Yu Blog

12 Jul 2006

Online banking security: what is the acceptable limit?

Online banking security is becoming more and more of a necessity, considering the number of fraudulent banking emails people receive these days. I don’t know anybody who would complain about increased security measures to protect their money. That being said, I seriously think we’re reaching the threshold of ridiculous, as far as verifying users’ ID when attempting to access their banking sites.

Take, for example, the largest private banking website in Brazil, www.bradesco.com.br. Bradesco was one of the first four banks in the world to offer its clients a fully transactional site, in 1995. Follow me, if you will, and experience the run-around I had to go through for years, when I was living in Brazil, to access my personal data.

1. On the home page: enter the branch and account number.

2. A pop-up window opens and there are three fields to fill in:

2.1 Status (account holder, partner, etc.). The options are available from a drop-down menu. So far so good.

2.2 A four-letter or four-word password. Okay, things start to get complicated here. You can’t actually type the characters; you have to input them using a virtual keyboard, which changes key positions every visit! When this keyboard was implemented a few years ago, it was also recommended that we change its contrast before using it.

2.3 A secret, 22-character code. Try and find something that long, which is easy to remember, easy to type and secure and you’ll understand just how difficult this step can be.

3. If everything goes well up to here, there is one last step, which has recently been implemented. Depending on your client status, one of the two following screens will appear:

Preferred clients are asked to input six numbers. This time though, they’re not part of a password, but generated by a separate electronic device.

[Images: the screen; the device]

Regular clients are asked to input three numbers, which must be found in a specific position on a card containing a matrix of characters.

[Images: the screen; the card]

4. Finally, once this marathon of passwords, secret phrases, numbers and letters has been completed, the account opens and the user can begin to perform the desired transactions, that is, if she can remember why she signed on in the first place…
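As an added example, not code from the post or from Bradesco, here is a minimal server-side model of step 3 in Python: a three-position challenge against a constructed matrix card, and an RFC 4226 HOTP check standing in for the separate code-generating device. The post does not say which algorithm the bank's device uses, so HOTP is an assumption, as is the card layout.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample matrix card (assumption: 4 rows x 10 columns of digits,
# addressed by row letter and column number as printed on the card).
SAMPLE_CARD = {
    "A": "4819203756",
    "B": "0275386491",
    "C": "9163047528",
    "D": "7340915862",
}

def card_challenge(card, n=3, rng=secrets):
    """Pick n distinct card positions the client must read back, e.g. [('B', 4), ...]."""
    positions = [(r, c) for r in card for c in range(len(card[r]))]
    chosen = []
    while len(chosen) < n:
        p = positions[rng.randbelow(len(positions))]
        if p not in chosen:
            chosen.append(p)
    return chosen

def verify_card(card, challenge, response):
    """Compare the three digits the user typed with the card positions asked for."""
    expected = "".join(card[r][c] for r, c in challenge)
    return hmac.compare_digest(expected, response)

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: the six-digit value an event-based token device shows."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_token(secret, counter, response, window=3):
    """Accept the next `window` counter values (device presses the server never saw).

    Returns the new counter to store on success, None on failure."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), response):
            return c + 1
    return None
```

The card check is only as strong as the card's secrecy, and the token check must persist the returned counter so a code cannot be replayed.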

Yikes! I find it hard to imagine an ordinary user managing to wade his way through this maze and completing a transaction. Further, the majority of transactions require another password to confirm the activity. All this requires a great deal of patience and goodwill.

How, then, is it possible that the number of users accessing such difficult products was able to grow 49.7% in 2005 over 2004? According to the Brazilian Banking Federation (Febraban), last year 16.5% of all banking transactions in Brazil were performed online.

From the user’s perspective, several of the following statements could explain this growth:

1) “It’s difficult, but I’ve learned how to work with it!”
After a difficult initial visit, the user gets used to the process and no longer asks herself what to do. This leads one to believe that process loyalty is directly proportional to the investment in learning required to acquire the new process. The more time and energy invested in learning something, even if it’s imperfect, the more you retain it!

2) “Sure it’s long online, but it’s still not as long as the lines in the branch!”
Waiting lines are longer and longer, and harder to stand, not to mention the time it takes to get to the actual bank.

3) “It’s hard, but it’s cheaper!”
Transactions are cheaper online than in person. Banks drop several normal fees to motivate their clients to use their websites.

4) “I don’t have a choice. All banks have a similar system.”
The details may vary, but the experience is pretty much the same everywhere in Brazil.

5) “Authentication is complicated, so I use the system less often. I still use it though…”
Online behaviour mimics real life: clients consolidate their transactions and only go to the bank once a month. The number of visits per user decreases, but the number of users increases.

Whatever the case, I truly believe we’re reaching the maximum number of steps acceptable to access a secure system. Designers can’t continue adding an infinite number of security measures that impact the user and assume that the above statements will remain true.